Just wondering on how to build a kernel-level facility which would
require shared libraries and executables to be "keyed" or even
"signed" to run on linux.
This is to prevent execution of software not specifically authorized.
Applications:
- Improve security
- License management
- Prevent unauthorized software installation
- Black-listing e.g. SCO libraries and executables
Regards
Michael
* Michael Frank ([email protected]) wrote:
> Just wondering on how to build a kernel-level facility which would
> require shared libraries and executables to be "keyed" or even
> "signed" to run on linux.
Take a look at Cryptomark or DigSig. They at least cover the
executables bit.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
>>>>> "Michael" == Michael Frank <[email protected]> writes:
Michael> Just wondering on how to build a kernel-level facility which
Michael> would require shared libraries and executables to be "keyed"
Michael> or even "signed" to run on linux.
Michael> This is to prevent execution of software not specifically
Michael> authorized.
The shared libraries are going to cause you 'issues' since these are
all loaded by dynamic linker. All the kernel loads is ld.so, the
rest of them are mmap'ed from userland.
So if you want to take this approach, you would have to hack a special
ld.so that only allows your authorized libraries and only authorize
the kernel to load that dynamic linker. Otherwise you have to do
content validation for all mmap operations.
Jes